7 Reasons Security Firms Believe the Russian State Hacked the DNC

How do we really know that the breaches of the Democratic National Committee were conducted by organizations working on behalf of the Russian state? With the CIA considering a major counterstrike against the superpower, as NBC has reported, it’s worthwhile for the public to measure how confident we can be that Putin’s government actually deserves retribution.

“When you’re investigating a cybersecurity breach, no one knows whether you’re a Russian hacker or a Chinese hacker pretending to be a Russian hacker or even a U.S. hacker pretending to be a Chinese hacker pretending to be a Russian hacker,” reporter Jordan Robertson says during the third episode of a solid new podcast from Bloomberg, called “Decrypted.” In the new episode, he and fellow reporter Aki Ito break down the facts that put security experts beyond a reasonable doubt that the hack was in fact an operation of the Russian state.

Here are the key points:

Familiar techniques.Crowdstrike came in first, once DNC IT teams suspected breaches and recognized the techniques of the two groups it calls Cozy Bear and Fancy Bear. Others refer to them as APT 28 and 29, where APT stands for “Advanced Persistent Threat.” Crowdstrike’s co-founder Dmitri Alperovitch broke down his reasoning on its blog, writing, “We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis.”

Redundancy is Russian. The Crowdstrike post explains that the fact that two organizations were inside and apparently not working together is consistent with Russian operations. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario,” Alperovitch writes.

Such nice code. Bloomberg turns to an ex-cop at one of the companies that Crowdstrike recruited to check its work, Mike Buratowski at Fidelis. His company put the code discovered on DNC servers into a virtual environment to test it. “You look at the complexity of what the malware was able to do. The fact that it had the ability to, basically, terminate itself and wipe its tracks, hide its tracks. You know, that’s not stuff you see in commoditized malware, really,” Buratowski said. In other words, this wasn’t the kind of malware a cybercriminal could buy on the black market. It was bespoke stuff made by teams of pros. Buratowski later calls the code “elegant.” Motherboard gives examples of phishing emails used, which showed careful attention to detail. Too good, he contends, for one person or a small team to build.

Russian keyboards and timestamps. Investigators found evidence in the code that it had been written on a Russian style keyboard and found timestamps across multiple pieces of code consistent with the Russian workday.

Motive. This was an extremely complex hack that took a lot of time and effort. Again, the Crowdstrike post helps here. It discusses evidence that the spies returned to the scene of the crime repeatedly to change out code to avoid detection. Buratowski refers to it as an entity with more operational discipline than an individual or a loose group could sustain. Which begs the question: who but a nation-state would have sufficient motive to work that hard? Further, the same groups were linked both to the hacks on John Podesta and Colin Powell, which suggests a multi-front initiative. That goes beyond what a hacker collective might do for bragging rights or lulz.

Information war. The DNC emails dropped the day before the party’s national convention. “Releasing the emails the evening before the convention started? Now you’re looking at it like: that really smacks of an information operation,” Buratowski says.

Official attribution from the US government. Washington sees evidence of breaches all the time. It seldom points the finger at specific states, the Decrypted team argues. The fact that it has is powerful. “There are ways the government can really know what’s going on,” Robertson said, “in a way that no private cybersecurity could ever match.”

From there, the podcast asks: what does this hack mean for the U.S. election. They come to basically the same conclusions that the Observer did in September: voting systems are very safe—voter rolls are less so, but nation-states probably want to discredit our system more than they want to change outcomes.

How sure can we be? Buratowski says, “Barring seeing someone at a keyboard or a confession, you’re relying on that circumstantial evidence.” So, we can never really know for sure. In fact, even Crowdstrike’s attribution is based on prior experience, which assumes that they have attributed other hacks correctly in the past. Former congressional staffer Richard Diamond in USA Today argues that the hacks can be explained by bad passwords, but he also neglects to counter Crowdstrike’s descriptions of the sophisticated code placed inside the servers. From Bloomberg’s version of events, how the hackers got in was really the least interesting part of their investigation.

So what does it all mean? It’s natural for political junkies to wonder if there might be further disclosures coming before Election Day, but—if this is an information operation—it might be even more disruptive to hold documents until after the election in order to throw doubt on our final choice. Either way, further disclosures will probably come.